LinuxQuestions.org
Old 06-27-2003, 12:27 PM   #1
hanxuerui
LQ Newbie
 
Registered: Mar 2003
Location: Edmonton
Distribution: slackware
Posts: 27

Rep: Reputation: 15
How to disable an account from remote accessing


I have a few accounts used as service accounts. I am wondering whether there is a way to let the user ID work but not be accessible from outside; for example, if a user tries to ssh using this ID, the server will refuse the request.

Thanks.

Any hint is appreciated.
 
Old 06-27-2003, 01:02 PM   #2
MArgRes
Member
 
Registered: Jun 2003
Distribution: Fedora Core 2
Posts: 37

Rep: Reputation: 15
If you mean that nobody should connect to the accounts, you can put '/sbin/nologin' at the end of their /etc/passwd entry...
 
Old 06-27-2003, 02:25 PM   #3
hanxuerui
LQ Newbie
 
Registered: Mar 2003
Location: Edmonton
Distribution: slackware
Posts: 27

Original Poster
Rep: Reputation: 15
Thanks, MArgRes, but what if I need to su to this account? Will it allow you to su to it?
 
Old 06-27-2003, 04:25 PM   #4
MArgRes
Member
 
Registered: Jun 2003
Distribution: Fedora Core 2
Posts: 37

Rep: Reputation: 15
Nope. That will disallow any login attempts for that account. I'm not sure if there is a way to only disallow logins on certain accounts from the outside...
 
Old 06-27-2003, 05:30 PM   #5
beltorak
LQ Newbie
 
Registered: Dec 2002
Distribution: slackware 8.1
Posts: 15

Rep: Reputation: 0
edit '/etc/login.access'; add the following line:
Code:
-:deny_this_account and_this_one etc etc_etc:ALL EXCEPT LOCAL
The term 'account' applies to users and groups. The primary group of a user is not consulted, however, so you might want to create a group (no_remote), and add all users that you want to deny remote logins to that group, then use: '-:no_remote:ALL EXCEPT LOCAL'.

-t.
 
Old 06-27-2003, 05:32 PM   #6
hanxuerui
LQ Newbie
 
Registered: Mar 2003
Location: Edmonton
Distribution: slackware
Posts: 27

Original Poster
Rep: Reputation: 15
That is still appreciated. Let's wait and see; I will dig into some documentation when I get a chance.
 
Old 06-30-2003, 07:15 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,469
Blog Entries: 54

Rep: Reputation: 2900
Quote:
I have a few accounts used as service accounts. I am wondering whether there is a way to let the user ID work but not be accessible from outside; for example, if a user tries to ssh using this ID, the server will refuse the request.
You should use the DenyGroups and DenyUsers directives.
"man sshd_config" for more info.
 
Old 06-30-2003, 09:05 AM   #8
hanxuerui
LQ Newbie
 
Registered: Mar 2003
Location: Edmonton
Distribution: slackware
Posts: 27

Original Poster
Rep: Reputation: 15
Thanks everybody. Let me give it a try.

Last edited by hanxuerui; 06-30-2003 at 09:07 AM.
 
Old 06-30-2003, 09:19 AM   #9
hanxuerui
LQ Newbie
 
Registered: Mar 2003
Location: Edmonton
Distribution: slackware
Posts: 27

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by beltorak
edit '/etc/login.access'; add the following line:
Code:
-:deny_this_account and_this_one etc etc_etc:ALL EXCEPT LOCAL
The term 'account' applies to users and groups. The primary group of a user is not consulted, however, so you might want to create a group (no_remote), and add all users that you want to deny remote logins to that group, then use: '-:no_remote:ALL EXCEPT LOCAL'.

-t.
This does not work for ssh; I am guessing it must be something about telnet?

I would like to hear more about this file.
 
Old 07-02-2003, 08:35 PM   #10
beltorak
LQ Newbie
 
Registered: Dec 2002
Distribution: slackware 8.1
Posts: 15

Rep: Reputation: 0
Ahh; so you are right... silly me. Try the file '/etc/ssh/sshd_config'. Read the man page for it, and look at the entries for 'AllowGroups', 'AllowUsers', 'DenyGroups', and 'DenyUsers'.

-t.
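
Added example (not part of the original thread and not any poster's code): an offline check of which accounts the sshd_config directives named above, DenyUsers and DenyGroups, would refuse. The sample files and the names svc_backup, svc_db, alice and no_remote are constructed; it assumes no Match blocks, no USER@HOST or negated patterns, and does not evaluate AllowUsers/AllowGroups. For DenyGroups, sshd considers the primary group as well as supplementary groups, so the check does too.

```shell
#!/bin/sh
# Added example: offline check of DenyUsers / DenyGroups coverage.
# All account, group and file names below are constructed samples.
make_samples() {  # write sample sshd_config, passwd and group into dir $1
  printf '%s\n' 'PermitRootLogin no' 'DenyUsers svc_backup' \
    'DenyGroups no_remote' > "$1/sshd_config"
  printf '%s\n' 'svc_backup:x:901:901::/var/backup:/bin/sh' \
    'svc_db:x:902:902::/var/db:/bin/sh' \
    'alice:x:1000:100::/home/alice:/bin/bash' > "$1/passwd"
  printf '%s\n' 'users:x:100:' 'no_remote:x:950:svc_db' > "$1/group"
}
deny_list() {  # keyword file -> one pattern per line (keyword is case-insensitive)
  awk -v kw="$1" 'tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) print $i }' "$2"
}
groups_of() {  # user passwd group -> primary and supplementary group names
  gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
  awk -F: -v u="$1" -v gid="$gid" '
    $3 == gid { print $1; next }
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$3"
}
matches_any() {  # name pattern... ; only * and ? wildcards are meaningful
  name=$1; shift
  for pat in "$@"; do
    case $name in $pat) return 0 ;; esac
  done
  return 1
}
ssh_denied() (  # user dir ; subshell body keeps 'set -f' local
  set -f        # do not glob-expand patterns such as svc_* against files
  user=$1; dir=$2
  if matches_any "$user" $(deny_list DenyUsers "$dir/sshd_config"); then
    echo "denied by DenyUsers"; exit 0
  fi
  for g in $(groups_of "$user" "$dir/passwd" "$dir/group"); do
    if matches_any "$g" $(deny_list DenyGroups "$dir/sshd_config"); then
      echo "denied by DenyGroups ($g)"; exit 0
    fi
  done
  echo "not denied"; exit 1
)
tmp=$(mktemp -d) && make_samples "$tmp"
for u in svc_backup svc_db alice; do
  printf '%-12s %s\n' "$u" "$(ssh_denied "$u" "$tmp")"
done
rm -rf "$tmp"
```

On a live host, `sshd -t` checks the edited configuration for errors before the daemon is reloaded.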
 
Old 07-17-2003, 08:54 AM   #11
mastahnke
Member
 
Registered: Feb 2002
Location: IL
Distribution: Ubuntu currently, also Fedora, RHEL, CentOS
Posts: 111

Rep: Reputation: 15
Put a * in the password field for that user. Then you can su - to that user, because with a * in pw field, you can't log in.
 
Old 07-17-2003, 10:09 AM   #12
hanxuerui
LQ Newbie
 
Registered: Mar 2003
Location: Edmonton
Distribution: slackware
Posts: 27

Original Poster
Rep: Reputation: 15
Thank you. So many tricks. Hope there are some books out somewhere.
 
  


All times are GMT -5. The time now is 02:55 AM.
